Saikali and Boos point out that “reports generated from privacy and security audits and data breach investigations often contain unintentionally harmful statements about a company’s security safeguards or privacy practices.” Because of this, companies prefer to keep these reports out of the hands of plaintiffs’ attorneys and regulators, though that isn’t always possible.

The only way to do that is to have counsel direct your investigation because “when investigations are directed by outside counsel to evaluate a company’s legal rights and obligations, they are subject to the same protections from disclosure as any other attorney-client communication.”

Saikali and Boos end their article by recommending that companies rely on outside counsel when pressured to disclose results of an internal investigation, saying, “External counsel’s management of these investigations carries with it the presumption of privilege, which both mitigates the risk of future disclosure and permits the breached entity to receive and interpret the information provided in the most efficient manner possible to manage a security incident and its aftermath.”